Some of the names in the list of bogus certificates generated by the attackers include Comodo, Google, Thawte, Microsoft, Mozilla, Windows Update, WordPress, MI6, the CIA, Facebook and Twitter.

For three whole months (June to August), the attacker camped out on DigiNotar’s servers, did his or her work and cleaned up afterwards. The attacker was even kind enough to leave a message in a script file that was used to generate the rogue certificates.

The question now is, how much trust should we place in these providers of digital certificates? A few months ago (March 2011), a subsidiary of Comodo was hacked, apparently by the same person. Here is why I am concerned; I will quote from page 9 of the report:

The successful hack implies that the current network setup and/or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.

The most critical servers contain malicious software that can normally be detected by anti-virus software

The separation of critical components was not functioning or was not in place

The CA (Certificate Authority) servers were accessible over the network from the management LAN

All CA servers were members of the same Windows domain (and they all apparently used the same user/password combination)

The password was not very strong and could easily be brute-forced

The software installed on the public web servers was outdated and not patched

No antivirus protection was present on the investigated servers

No secure central network logging was in place

The breach has led to the revocation of a lot of digital certificates, over 500 so far. It also prompted Mozilla to take measures so “that all DigiNotar certificates will be untrusted by Mozilla products,” which include the Firefox browser. Google’s Chrome browser also placed DigiNotar certificates on a permanent block list.

It is inexplicable that, after the attention the Comodo breach garnered and the recent spate of hacks against RSA, Barracuda, Citigroup and a host of other high-profile targets, the management at DigiNotar did not deem it wise to do due diligence and exercise some element of due care.

This is even more depressing because, according to this F-Secure blog post, the company had been hacked before, back in May 2009.

Look at the bullet points above again and tell me whether those are not things that could have been fixed. Beyond that, what role did their auditor play in this mess? It would be ridiculous to assume that they were not paying an external party to audit their environment. Why did an auditing firm not raise a red flag over these lapses? Is this another case of check-box auditing that has come back to bite DigiNotar in the ass?

The larger concern is how we can continue to trust DigiNotar and other certificate authorities to help ensure that there is no eavesdropping on secure communications between users and the sites they visit. After all, anyone armed with a rogue certificate for a web firm or service can impersonate that organization and read communications that would otherwise be unreadable because they are encrypted.

Update:

As Russ Bellew posted, DigiNotar has filed for bankruptcy, and its fate should be a wake-up call to other certificate authorities and indeed to all companies with an internet presence. After all, the DigiNotar hacker did say that four other major CAs were on the chopping block.
